08-09-2021, 08:29 AM
(08-09-2021, 08:12 AM)EspeciallyDirect Wrote: I'm putting this here because I'm not sure if this deserves its own thread.
I think this could have been put on its own thread, it's an interesting discussion that should be had. After all, one of the benefits of an open source phone is its security.
(08-09-2021, 08:12 AM)EspeciallyDirect Wrote: Some people on other sites have voiced concern that this shipment of pinephones has been subject to "Method Interdiction".
Which sites have people voiced this concern on? Why didn't they come here?
(08-09-2021, 08:12 AM)EspeciallyDirect Wrote: Obviously, without leaks, we'll see no proof of this, but New Zealand does have intelligence-sharing agreements with several other countries, and it's not exactly a secret that many of the people who buy these phones did so out of a desire to escape the problems android and iOS devices have with sending gobs of user data to the servers of large corporations.
The shipment really spent just a day or something in New Zealand, I can promise you New Zealand does not have the infrastructure for such an operation. Doing this would require a lot of time and financial investment - something I really doubt big government agencies would bother with. More interesting to them would be a server, for example.
Usually these types of attacks would be a combination of hardware and software - the software is likely to be re-flashed as soon as it arrives (and I recommend you do so).
(08-09-2021, 08:12 AM)EspeciallyDirect Wrote: Fortunately, there's published images of the PCB you can compare it to so you can check for hardware modifications.
Equally, if you are seriously considering the Five Eyes in your threat model, I would consider every single place and Country the phone visits on its journey to you, including the factory. Equally, it would be much easier to change the PCB or software and introduce bugs there. For example, if you introduce a bug into SSH or OpenSSL, you get all Linux phones and servers at the same time. Factories are also not entirely unknown to pre-install viruses for example.
(08-09-2021, 08:12 AM)EspeciallyDirect Wrote: Also, that would probably cause a longer delay if they were to physically replace components but you can't be sure since other things could very well cause the pallet to sit there for over a month.
They were literally there for a day or so, something that @lukasz can likely confirm.
(08-09-2021, 08:12 AM)EspeciallyDirect Wrote: But if I were you I'd treat these things as any computer if you're concerned about that: load a new operating system before doing anything else. Overwrite the EMMC with random data (dd if=/dev/urandom) to be really, really sure.
It really depends on your threat model.
(08-09-2021, 08:12 AM)EspeciallyDirect Wrote: I would hope Pine64 can inspect the phones before they ship to customers but I'm aware that might be infeasible.
I doubt this is possible and if anything, it will just delay the time it takes to get your device and introduce further potential points to introduce issues.